Security

Learn more about the application's permissions and Mergify's security obsession.


At Mergify, security is of utmost importance to us. We understand the crucial role we play in the software development process and are fully committed to earning and maintaining the trust of our users. Our Security page is dedicated to providing transparency regarding our security measures and practices. We continually strive to improve the safety and reliability of our platform, ensuring that your repositories and code are well-protected.

Our Trust Report is designed to provide transparency and instill confidence in our customers. By sharing our compliance reports and offering insights into our security practices, we aim to demonstrate our unwavering dedication to safeguarding your valuable information.

We invite you to explore this documentation and learn more about how we prioritize your trust. Click the button above to access our Trust Report page, where you will find in-depth information on our security measures and our ongoing commitment to protecting your data.

Mergify hosts a public Bug Bounty program with HackerOne. If you’re an independent security expert or researcher and believe you’ve discovered a security-related issue on our platform, we appreciate you disclosing the issue to us responsibly, and thank you for your time and expertise.

Contacting Us About Security Concerns

At Mergify, we prioritize the security of our platform and the safety of our users. If you have any security-related questions or concerns, please reach out directly to our dedicated security team at security@mergify.com.

We appreciate your collaboration in ensuring the security of Mergify and its community. Rest assured, all communications related to security matters will be treated with the highest priority and confidentiality.

GitHub App Required Permissions

Below is the list of the permissions Mergify requires on GitHub to function properly.

Permission                   | Access         | Usage
Repository: Actions          | Read-only      | Used to read workflow details.
Repository: Administration   | Read-only      | Used to access team details.
Repository: Checks           | Read and write | Used to read and post checks.
Repository: Commit statuses  | Read-only      | Used to read checks status.
Repository: Contents         | Read and write | Used to read repository content and write (merge).
Repository: Issues           | Read and write | Used to close issues on merge.
Repository: Metadata         | Read-only      | Access repository metadata.
Repository: Pages            | Read and write | Write required to trigger page workflow on merge.
Repository: Pull requests    | Read and write | Used to read and edit pull requests.
Repository: Workflows        | Read and write | Used to read workflows and merge pull requests modifying workflows.
Repository: Merge queues     | Read-only      | Used to receive GitHub merge queues events.
Organization: Members        | Read-only      | Used to list organization members.
Account: Email addresses     | Read-only      | Used to read user email addresses.

To perform any action on Mergify, such as adding a pull request to a merge queue or triggering a command, a person must have sufficient access to the relevant account or resource. This access is controlled by permissions. A permission is the ability to perform a specific action. A role is a set of permissions you can assign to individuals or teams.

Mergify users inherit their roles directly from GitHub roles.

That means that a user who has the Read role for a repository in GitHub will also inherit this role in Mergify.

Feature | Read | Triage | Write | Maintain | Admin
View the merge queues
Freeze a merge queue
Unfreeze a merge queue
Pause merge queues
Manage API keys
Manage Mergify subscription

Mergify commands are restricted by default and have their own mechanism that can be modified. See Commands Restrictions for changing the default.

Managing IP Addresses Allowed for the GitHub App

GitHub lets you configure the list of IP addresses that a GitHub App is allowed to use to access GitHub.

Mergify services do not use a single static IP address. Therefore, you must allow the AWS EC2 us-east-1 IP address ranges.

This list can be retrieved on the AWS website or via this command:

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json -o- | jq -r '.prefixes[] | select(.region=="us-east-1" and .service=="EC2") | .ip_prefix'
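As an added example (not Mergify's own code), the Python below does the same selection as the jq filter above on a constructed sample of ip-ranges.json, also collects the IPv6 ranges (which live under ipv6_prefixes and so are not returned by the filter above), and checks whether a given address falls inside the allowed ranges. The prefixes in the sample are illustrative; always download the current file.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file has thousands of entries; these three are illustrative only.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "EC2",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "AMAZON",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "35.180.0.0/16", "region": "eu-west-3", "service": "EC2",
         "network_border_group": "eu-west-3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "EC2",
         "network_border_group": "us-east-1"},
    ],
})


def ec2_prefixes(doc, region="us-east-1", include_ipv6=True):
    """Select EC2 prefixes for `region` (same criteria as the jq filter).
    Results are deduplicated and sorted so two runs can be diffed."""
    nets = set()
    for p in doc.get("prefixes", []):
        if p["region"] == region and p["service"] == "EC2":
            nets.add(ipaddress.ip_network(p["ip_prefix"]))
    if include_ipv6:
        for p in doc.get("ipv6_prefixes", []):
            if p["region"] == region and p["service"] == "EC2":
                nets.add(ipaddress.ip_network(p["ipv6_prefix"]))
    return sorted(nets, key=lambda n: (n.version, n))


def is_allowed(address, networks):
    """True if `address` lies inside one of the allowed networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in networks)


def allowlist_from_json(text, include_ipv6=True):
    """Return (syncToken, networks). Keep the token: when it changes, AWS
    published a new file and the GitHub App allowlist needs refreshing."""
    doc = json.loads(text)
    return doc["syncToken"], ec2_prefixes(doc, include_ipv6=include_ipv6)


if __name__ == "__main__":
    token, nets = allowlist_from_json(SAMPLE_IP_RANGES)
    print(f"syncToken {token}")
    for n in nets:
        print(n)
```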